Fwd: GeekTools Whois Proxy and RIPE/RIPE-NCC
This seems odd. I can't seem to find any mention of charging for bulk whois access in the RIPE NCC AGM or the PDP. Am I missing something here?

Nick

-------- Original Message --------
Subject: GeekTools Whois Proxy and RIPE/RIPE-NCC
Date: Mon, 31 Dec 2012 10:41:54 -0500
From: Rodney Joffe <rjoffe@centergate.com>
To: nanog@nanog.org

NANOG and ARIN Friends,

14 years ago, at the suggestion of Jon Postel and some of the early participants in NANOG, we developed the GeekTools Whois proxy to make it easier for *us* - network security and abuse techs - to deal with the expanding number of gtlds and registrars and the varied whois servers that were appearing. The service had both a CLI and web interface. The service also led directly to the creation of whois-servers.net, which now seems to be part of a number of *nix distributions.

The service has been up for 14 years, and over that time we have fulfilled the requirements of all of the whois server operators in regards to minimizing and stopping abuse of the GT whois proxy by domain scrapers, spammers, etc, while enabling the security folks to do their jobs. In some cases we have even written code to pass the ip address of the requestor to the whois server registry operator when they wanted to manage quotas directly. We think we have a really good relationship with all of the whois server operators, and I think we provide a useful service to the community, one that is widely used. And in 14 years we have never been tarred as an enabler of abuse of "the whois" system.

There has obviously never been any kind of charge or fee for using the proxy, or any of the other tools on GeekTools. In about 2002 we started placing a banner ad on the web interface page to offset some of the costs for the bandwidth that the proxy consumes. An average of about $70 a month for over the last 10 years. Actual bandwidth costs are higher than that of course, but it was a thought in 2002 that we had frankly forgotten about until recently.

Two weeks ago RIPE-NCC, who provide the whois data for IP addresses in the RIPE region, informed us that based on decisions by their members, as of January 1st 2013, tomorrow, they would no longer provide whois proxy query response services to GeekTools unless we ponied up $1,800 a year for RIPE membership.

I don't work very well above layer 7. It is what it is. So I wanted to let you know that as of midnight tonight, apparently, you won't be able to use GeekTools for RIPE related queries. If you have automated scripts, and you are one of the users who has expanded access to GeekTools, you'll need to find an alternative for RIPE queries *today*.

My guess is that you will be able to query RIPE directly, once you have worked out that the address space is within RIPE's assignments.

I think it's wrong to have to pay for whois data that is part of a community resource. So I won't do it.
> This seems odd. I can't seem to find any mention of charging for bulk whois access in the RIPE NCC AGM or the PDP.

the ncc _seems_ to have taken upon itself, with no public mandate or bottom up process, to incrementally make the nic a members only organization. as the nics are here to serve the internet, this is a major change. if the ncc is not here to serve the internet, then we may need to rethink how we handle internet coordination.

something smells very broken here. maybe we are just misinformed.

randy
Hi,

On Wed, Jan 02, 2013 at 04:40:32AM +0900, Randy Bush wrote:
> > This seems odd. I can't seem to find any mention of charging for bulk whois access in the RIPE NCC AGM or the PDP.
>
> the ncc _seems_ to have taken upon itself, with no public mandate or bottom up process, to incrementally make the nic a members only organization. as the nics are here to serve the internet, this is a major change. if the ncc is not here to serve the internet, then we may need to rethink how we handle internet coordination.
>
> something smells very broken here. maybe we are just misinformed.

Indeed.

I can see the wish to simplify the structure by merging all sorts of contracts "users that pay money for NCC services" into a single bin, labeled "paying members" (like dnsmon, etc) - and I would not object to that. RIPE DB NRTM mirrors(!) have been mentioned to fall under that category as well.

OTOH, "proxy whois service" usage never had a price tag, so I find it surprising that this would be part of the "everything that has a price tag needs to be a member now" clause...

Anyone from the NCC around who is willing to clarify this?

thanks,

Gert Doering
        -- hat wrangler
--
have you enabled IPv6 on something today...?

SpaceNet AG                        Vorstand: Sebastian v. Bomhard
Joseph-Dollinger-Bogen 14          Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen                   HRB: 136055 (AG Muenchen)
Tel: +49 (89) 32356-444            USt-IdNr.: DE813185279
> I can see the wish to simplify the structure by merging all sorts of contracts "users that pay money for NCC services" into a single bin, labeled "paying members" (like dnsmon, etc) - and I would not object to that. RIPE DB NRTM mirrors(!) have been mentioned to fall under that category as well.

/* this is a bit of a $subject drift. but there are some large expensive non-NIC projects which are cross-subsidized and not directly charged. i am not sure about looking into each one and charging for it, as i fear that might lead to micro-management and stunt research.

let me use atlas as an example. it is quite expensive. if we want decent atlas coverage in china, japan, thailand, ... (just examples), then atlas use has to be open to non-members. this damned internet thing is global. */

but, as i said, $subject drift. my point was NIC services, ip address management and publication of information about ip address management, not the ncc's research and other non-NIC initiatives.

the NICs are here to serve the internet, not some small self-serving community. imiho, restricting information of basic NIC data, ip address information, is counter to the basic social contract of the internet.

so, as i said, i suspect we may have some miscommunication here.

randy
Hi,

> > This seems odd. I can't seem to find any mention of charging for bulk whois access in the RIPE NCC AGM or the PDP.
>
> the ncc _seems_ to have taken upon itself, with no public mandate or bottom up process, to incrementally make the nic a members only organization. as the nics are here to serve the internet, this is a major change. if the ncc is not here to serve the internet, then we may need to rethink how we handle internet coordination.
>
> something smells very broken here. maybe we are just misinformed.

Yeah, that does sound broken. Let's hope that it is indeed miscommunication.

Sander
Hi,

> > > This seems odd. I can't seem to find any mention of charging for bulk whois access in the RIPE NCC AGM or the PDP.
> >
> > the ncc _seems_ to have taken upon itself, with no public mandate or bottom up process, to incrementally make the nic a members only organization. as the nics are here to serve the internet, this is a major change. if the ncc is not here to serve the internet, then we may need to rethink how we handle internet coordination.
> >
> > something smells very broken here. maybe we are just misinformed.
>
> Yeah, that does sound broken. Let's hope that it is indeed miscommunication.

Looking at http://www.ripe.net/ripe/docs/ripe-558 (the activity plan for 2013) the RIPE Database Proxy Service is indeed listed as a member-only service, and the members approved of that activity plan. So the NCC and the NCC board can't be blamed for this. The members (and yes: that includes me) should be careful what they vote for...

IMHO the proxy service should have never been included in the member-only-services list, and I suspect that many members didn't realize the impact of approving this change in the activity plan.

Another point is whether the NCC members are the ones to decide such a change. It is their money that funds the RIPE NCC whois service, but it is not their data...

- Sander
Hi,

On Jan 2, 2013, at 12:18 AM, Sander Steffann <sander@steffann.nl> wrote:
> IMHO the proxy service should have never been included in the member-only-services list, and I suspect that many members didn't realize the impact of approving this change in the activity plan.

I don't recall approving this change. In the draft [1] published in August 2012 there is also no mention of making the Proxy Service "members only".

Kind regards,

Job

[1] http://www.ripe.net/lir-services/ncc/gm/september-2012/documents/draft-ripe-...
Hi Job,

I looked a bit further and you are right. The activity plan as documented in http://www.ripe.net/ripe/docs/ripe-558 is *not* the same as the one that the members voted on which was announced (http://www.ripe.net/ripe/mail/archives/ncc-announce/2012-September/000612.ht...) and published at http://www.ripe.net/lir-services/ncc/gm/september-2012/documents/draft-ripe-.... Appendix 1, which lists the proxy service as member-only, has been inserted *after* the members voted on it.

This is so very wrong and totally unacceptable. Now I really demand an explanation from the board!

Kind regards,
Sander Steffann

On 2 Jan 2013, at 00:28, Job Snijders <job.snijders@atrato-ip.com> wrote:
> Hi,
>
> On Jan 2, 2013, at 12:18 AM, Sander Steffann <sander@steffann.nl> wrote:
> > IMHO the proxy service should have never been included in the member-only-services list, and I suspect that many members didn't realize the impact of approving this change in the activity plan.
>
> I don't recall approving this change. In the draft [1] published in August 2012 there is also no mention of making the Proxy Service "members only".
>
> Kind regards,
>
> Job
>
> [1] http://www.ripe.net/lir-services/ncc/gm/september-2012/documents/draft-ripe-...
Hi All

I like to have an explanation too. As I also work for SwissIX (a non for profit Exchange in Switzerland) and we have tried to get a DB mirror to build filters against.

Regards

Matthias

On 02/01/13 10:21, Sander Steffann wrote:
> Hi Job,
>
> I looked a bit further and you are right. The activity plan as documented in http://www.ripe.net/ripe/docs/ripe-558 is *not* the same as the one that the members voted on which was announced (http://www.ripe.net/ripe/mail/archives/ncc-announce/2012-September/000612.ht...) and published at http://www.ripe.net/lir-services/ncc/gm/september-2012/documents/draft-ripe-.... Appendix 1, which lists the proxy service as member-only, has been inserted *after* the members voted on it.
>
> This is so very wrong and totally unacceptable. Now I really demand an explanation from the board!
>
> Kind regards,
> Sander Steffann
>
> On 2 Jan 2013, at 00:28, Job Snijders <job.snijders@atrato-ip.com> wrote:
> > Hi,
> >
> > On Jan 2, 2013, at 12:18 AM, Sander Steffann <sander@steffann.nl> wrote:
> > > IMHO the proxy service should have never been included in the member-only-services list, and I suspect that many members didn't realize the impact of approving this change in the activity plan.
> >
> > I don't recall approving this change. In the draft [1] published in August 2012 there is also no mention of making the Proxy Service "members only".
> >
> > Kind regards,
> >
> > Job
> >
> > [1] http://www.ripe.net/lir-services/ncc/gm/september-2012/documents/draft-ripe-...

--
Matthias Cramer / mc322-ripe       Senior Network & Security Engineer
iway AG                            Phone +41 43 500 1111
Badenerstrasse 569                 Fax   +41 44 271 3535
CH-8048 Zurich                     http://www.iway.ch/
GnuPG 1024D/2D208250 = DBC6 65B6 7083 1029 781E 3959 B62F DF1C 2D20 8250
Hi,

On Wed, Jan 02, 2013 at 10:26:17AM +0100, Matthias Cramer wrote:
> I like to have an explanation too. As I also work for SwissIX (a non for profit Exchange in Switzerland) and we have tried to get a DB mirror to build filters against.

DB *mirrors* have been in the list of now-members-only services all the time - they have been costing money for a long time, this is just shifting to the new contract model now.

(From a technical pov, all other exchanges manage to build their filters without a local mirror, so maybe that decision needs some thinking :-) )

Gert Doering
        -- NetMaster
--
have you enabled IPv6 on something today...?

SpaceNet AG                        Vorstand: Sebastian v. Bomhard
Joseph-Dollinger-Bogen 14          Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen                   HRB: 136055 (AG Muenchen)
Tel: +49 (89) 32356-444            USt-IdNr.: DE813185279
Hi,

On Wed, Jan 02, 2013 at 10:21:32AM +0100, Sander Steffann wrote:
> This is so very wrong and totally unacceptable. Now I really demand an explanation from the board!

+1

Gert Doering
        -- NetMaster
--
have you enabled IPv6 on something today...?

SpaceNet AG                        Vorstand: Sebastian v. Bomhard
Joseph-Dollinger-Bogen 14          Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen                   HRB: 136055 (AG Muenchen)
Tel: +49 (89) 32356-444            USt-IdNr.: DE813185279
In message <50E1E603.5070707@netability.ie>, at 19:22:43 on Mon, 31 Dec 2012, Nick Hilliard <nick@netability.ie> writes
> I wanted to let you know that as of midnight tonight, apparently, you won't be able to use GeekTools for RIPE related queries. If you have automated scripts, and you are one of the users who has expanded access to GeekTools, you'll need to find an alternative for RIPE queries *today*.

It seems to be still working today, but maybe it's still the holiday season in Amsterdam and they haven't "thrown the switch" yet.

> My guess is that you will be able to query RIPE directly, once you have worked out that the address space is within RIPE's assignments.

I always use LACNIC's whois, which integrates all the RIRs. Is that another proxy service that will either have to pay up or switch off? (Noting the possibility that this is all a miscommunication). Or perhaps Geektools could use LACNIC for all RIR lookups.

--
Roland Perry
participants (7)
- Gert Doering
- Job Snijders
- Matthias Cramer
- Nick Hilliard
- Randy Bush
- Roland Perry
- Sander Steffann